Post navigation

I recently caved in and got myself an Apple iPhone. Working here at Sophos, my first question has to be “Do I need anti-virus software for it?”.

Given that the iPhone runs a stripped down version of OS X, and most die hard Macheads will tell you how secure OS X is, my initial thought was that the virus risk must be comparatively small. In addition to this the browser the iPhone uses is a modified version of Safari, again lulling me into feeling pretty safe – I’m using a comparatively secure browser on a comparatively secure operating system.

A comparatively small risk, however, is a long way from a zero risk. Here at Sophos we’re raised to be pretty paranoid, so I needed to do a little more digging around online to see how safe my new toy actually was.

Earlier on this year the first Trojan horse for the iPhone was discovered, yet in itself it seemed to be much more an irritant/warning shot than a genuine threat. The Trojan found its way onto unsuspecting users’ phones by posing as a firmware update. Once installed, however, no actual damage was done – problems only occured when users removed the bogus app and unknowingly removed other applications along with it. D’oh. Re-install the apps you want, and no harm done.

This Trojan was only able to target ‘jailbroken’ phones – ie iPhones which have been modified to allow the installation of third party applications. My original question then has expanded to ‘”Do I need AV software for my non-jailbroken iPhone?”. An out-of-the-box iPhone doesn’t give the user any means of running code on the device. If you get your iPhone off the shelf and get a legit contract with the authorised mobile provider you’ll be unable to run any third party apps. If you can’t run code, you can’t run malicious code. This again makes the phone itself infinitely less risky than many other alternatives out there. Couple this with OS X and Safari and I’ve got to be feeling pretty secure at this point.

One thing to be aware of though is that I could well be more vulnerable to some types of phishing attack whilst browsing from my phone than I would from my PC, due to the way URLs are displayed. If someone sends me a link embedded in an email, my phone won’t display the URL, making it that bit easier for dodgy folk to point me to dodgy websites and potentially steal personal information. As ever a good helping of common sense with a side of paranoia is the order of the day. Legitimate companies will never ask you to verify or provide any confidential information in an unsolicited email.

In this industry, as far as malware and scams go, it’s pretty much a case of ‘where there’s a will there’s a way’. It’s always possible that people will find different ways of executing malicious code on the iPhone. iPhone users, and indeed Mac users in general can’t afford to be smug about security. Vulnerabilities for the iPhone have emerged, and been patched, and no doubt will continue to emerge and be patched. As to whether these vulnerabilties pose a real threat, well, I’ll leave that to the mobile experts to decide. The user base for the iPhone itself is still fairly small – compare the number of iPhone users with the number of Windows users say, and then ask yourself which platform the bad guys would consider it more worthwhile spending time exploiting. As and when the user base grows I might well need to be more concerned.

So, if I’m a user who hasn’t modded my phone, and who keeps up to date with patches (easily done via synching with iTunes), things are looking pretty good security-wise. I wouldn’t be foolish enough to deem my phone 100% secure – I don’t know that you could ever apply that label to any device. A healthy paranoia can be a good thing. For the moment though, given the above, I’m content that there’s currently no need for any AV protection on my iPhone. It goes without saying of course that should a real malware threat for the iPhone emerge Sophos will investigate and inform as always.

All I need to do now is convince my other half that it wasn’t a ridiculous amount of money to spend on an unnecessary shiny new toy..